During checkout, my customer is redirected to an external payment page, from my bank, to enter his payment information.
From this page, the customer can either validate the payment or cancel.
Cancellation redirects to my website with a POST, while the redirection after validation redirects to my website with a GET.
The GET redirection to my website works well.
The POST redirection to my website generates a new PHPSESSID, so my customer loses his session (in other words, he loses his cart and is disconnected).
It seems to be linked to some new security standards, with SameSite set to Lax for PHPSESSID:
https://developer.mozilla.org/fr/docs/Web/HTTP/Headers/Set-Cookie/SameSite
It is easy to reproduce if you create this HTML on your local PC:

<!DOCTYPE html>
<html>
<body>
  <form action="https://yourwebsite.fr" method="GET">
    <input type="submit" value="Submit">
  </form>
</body>
</html>
If you first go to your website so a PHPSESSID is generated, then open this local file with Chrome and press the "Submit" button, it will redirect to your website with the same PHPSESSID. But if you now replace GET by POST:

<!DOCTYPE html>
<html>
<body>
  <form action="https://yourwebsite.fr" method="POST">
    <input type="submit" value="Submit">
  </form>
</body>
</html>

refresh your local page, then press the "Submit" button, and you will get a new PHPSESSID!
And so you'll be anonymous until you reconnect.
I know it is expected behavior because of Lax, so my question is how to have PHPSESSID set with "Secure; SameSite=None" instead of "SameSite=Lax".
I'm using nginx, so I tried things like this:
proxy_cookie_path / "/; SameSite=strict; secure; httponly ";
add_header Set-Cookie "Path=/; SameSite=strict; secure; httponly ";
proxy_cookie_path ~(.*) "$1; SameSite=strict; secure; httponly";

but it does not change any cookie configuration.
Any idea where to make the change?
In php.ini? nginx? Magento config?
Thanks
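For the plain-PHP case the question's test page exercises, the attribute the poster asks for is set on the session cookie itself, not in nginx. The snippet below is an added example, not code from the original post: it shows the `session_set_cookie_params()` call and the equivalent php.ini keys (PHP 7.3 or later) that make PHPSESSID carry "Secure; SameSite=None". Magento sets its session cookie parameters through its own session configuration, so in a Magento store this call is not where the change lands.

```php
<?php
declare(strict_types=1);

// Added example (not from the original post). Equivalent php.ini settings,
// available since PHP 7.3:
//   session.cookie_samesite = None
//   session.cookie_secure   = 1
//   session.cookie_httponly = 1

/**
 * Build the session cookie parameters.
 *
 * Browsers only accept SameSite=None together with Secure, so on a plain-HTTP
 * request we fall back to Lax instead of emitting a cookie that gets rejected
 * (which would itself cause a fresh PHPSESSID on every request).
 */
function sessionCookieParams(bool $isHttps): array
{
    return [
        'lifetime' => 0,          // session cookie, discarded when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => $isHttps,
        'httponly' => true,
        'samesite' => $isHttps ? 'None' : 'Lax',
    ];
}

// Behind nginx, TLS is usually terminated at the proxy, so PHP sees plain HTTP.
// Only trust X-Forwarded-Proto when nginx is configured to set it itself
// (proxy_set_header X-Forwarded-Proto $scheme;) and to overwrite any client copy.
$isHttps = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
    || (($_SERVER['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https');

if (session_status() === PHP_SESSION_NONE) {
    session_set_cookie_params(sessionCookieParams($isHttps));
    session_start();
}
```

With SameSite=None the cookie is attached to every cross-site POST again, including ones the customer never intended, so the CSRF protection on state-changing forms (Magento's form_key, or an equivalent token) is what keeps that safe; SameSite=Lax was only ever a second layer.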
Hi @webrod,
Client session loss mostly occurs when redirecting from an external checkout page to Magento. PayPal has a pretty good method; you can try it.
Use an after plugin to handle it:

<!-- etc/di.xml -->
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
    <type name="Magento\Framework\Session\SessionStartChecker">
        <plugin name="transparent_session_checker" type="Name\Module\Plugin\TransparentSessionChecker"/>
    </type>
</config>

Please refer to this link for more information about code processing.
Hope this can help you! Let me know if you need further assistance.
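The plugin class the di.xml above points at, written out as an added example (this is not code from the original reply, nor PayPal's or Magento's own class): it assumes the `Name\Module` namespace used in the snippet and a hypothetical route path `mypayment/callback/cancel` that the bank POSTs the cancellation to. The idea is to not start a session at all on that cross-site POST, because the browser does not send the SameSite=Lax PHPSESSID with it and a session started there would mint a new id and replace the customer's existing one.

```php
<?php
declare(strict_types=1);

namespace Name\Module\Plugin;

use Magento\Framework\App\Request\Http;
use Magento\Framework\Session\SessionStartChecker;

/**
 * Added example: after plugin on SessionStartChecker::check().
 * Suppresses session start on the bank's cross-site POST callback so the
 * customer's existing PHPSESSID is left untouched.
 */
class TransparentSessionChecker
{
    /**
     * Request paths (relative to the store base URL) on which no session is started.
     * 'mypayment/callback/cancel' is a hypothetical route used for this example.
     *
     * @var string[]
     */
    private $disableSessionUrls;

    /** @var Http */
    private $request;

    /**
     * @param string[] $disableSessionUrls
     */
    public function __construct(Http $request, array $disableSessionUrls = ['mypayment/callback/cancel'])
    {
        $this->request = $request;
        $this->disableSessionUrls = $disableSessionUrls;
    }

    /**
     * Returning false tells the framework not to start a session for this request.
     * Any earlier plugin that already said "no" is respected.
     */
    public function afterCheck(SessionStartChecker $subject, bool $result): bool
    {
        if ($result === false) {
            return false;
        }

        // Match on the path only, never on query-string or body values the sender controls.
        $pathInfo = trim((string) $this->request->getPathInfo(), '/');
        foreach ($this->disableSessionUrls as $url) {
            if (strpos($pathInfo, trim($url, '/')) === 0) {
                return false;
            }
        }

        return true;
    }
}
```

The controller behind that route then has no customer session to work with, so it should do only two things: verify the gateway's message (signature or server-to-server lookup keyed by the order or transaction id it carries, since an unauthenticated cross-site POST proves nothing by itself), and answer with a 302 redirect to a normal GET URL on the store. That top-level GET navigation is exactly the case SameSite=Lax allows, the browser sends the existing PHPSESSID with it, and the customer lands back in their cart with the session intact. Configuring the route list through di.xml constructor arguments rather than hard-coding it is what lets one plugin cover several redirect gateways.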
Hi Lit Extension Expert,
Kindly advise me.
1. How can we solve this issue on Magento ver. 2.2.5, because the following class is not available in Magento ver. 2.2.5: "Magento\Framework\Session\SessionStartChecker"?
2. If we have multiple redirect payment gateways (like PayPal, iPay88 and a local bank redirect gateway) in a Magento instance, how can we achieve this solution?
Thanks in advance